Reference13r2:Release Notes Security


Revision as of 16:47, 29 April 2022

This is the Security 13r2 Release Notes Document.

Service Releases are planned for the second Monday of each month. For each service release the complete set of tests is executed. If problems show up during the tests, they are fixed, which may cause a delay. The tests are started early so that some delay is covered, but it can still happen that the patch day has to be moved. In that case it is hard to predict when the service release will be good: it may be any day, so the patch day is not moved by a fixed number of days; the release is still published as early as possible.

Please see the disclaimer before using the information presented here!


Security 13r2

13r2 Service Release 12 (136349)

124576 - Protection against theoretical XSS possibility in pbx_appclient_popup.htm

URLs given in the "url" parameter are now filtered for javascript code.

13r2 Service Release 13 (136357)

124821 - Potential restart on some special login requests to Advanced UI

Possibly caused by an attack.

124652 - TLS: Possibility to disable client-initiated renegotiation

Renegotiation can now be disabled in the TLS settings.

  • Applies to TLS 1.0, TLS 1.1 and TLS 1.2 in the firmware. TLS 1.3 does not support renegotiation.
  • Renegotiation could be used by attackers to cause additional CPU load on servers.

Advanced UI:

  • New flag IPx / TLS / Disable renegotiation

Config lines:

  • config change TLS0 /no-renegotiation
  • config change TLS6 /no-renegotiation

13r2 Service Release 14 (136373)

127224 - App Events: Do not broadcast syslog messages on not authenticated WebSocket connections

Syslog messages delivered to the Events instance were sent over WebSocket connections that were not authenticated via AppLogin. Reported by trizwo GmbH IT & Communication, trizwo.de.

For more details: https://wiki.innovaphone.com/index.php?title=Support:V13_Events_App_syslog_forwarded_without_authentication

13r2 Service Release 17 (136386)

131497 - Advanced UI: Prevent XSL injection

The servlets for the advanced UI accept an "xsl" URL parameter that specifies the XSLT file used to display the corresponding page.

Before this fix it was possible to specify a data URL containing a malicious style sheet, which could be used for phishing attacks.

After this fix no values containing a colon are allowed, such as:

  • xsl=data:...
  • xsl=data%3A...
  • xsl=data%3a...
  • xsl=javascript%3A...
  • xsl=http%3A...
  • ...

So only the pre-defined style sheets from the box are allowed.
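As an added illustration of the check described above (example code, not innovaphone's servlet code): the parameter is percent-decoded first, so "data%3A" and "data%3a" are seen as "data:"; any remaining colon rejects the value, and what survives must still be one of the predefined style sheets. The set of style-sheet names is constructed for this example.

```javascript
// Added example, not innovaphone code: validation of an "xsl" request
// parameter that selects a server-side XSLT file.

// Constructed list standing in for the style sheets shipped on the box.
const KNOWN_STYLESHEETS = new Set(["default.xsl", "compact.xsl", "print.xsl"]);

// Decodes percent-encoding until the value stops changing, so a double-encoded
// "data%253A..." cannot pass as "data%3A". decodeURIComponent accepts both
// "%3A" and "%3a". Returns null for malformed sequences or if the value is
// still changing after maxRounds.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return null; // malformed %-sequence: treat as invalid
    }
    if (next === current) return current;
    current = next;
  }
  return null;
}

// Returns the style-sheet name to use, or null if the parameter is rejected.
// Rejection order mirrors the fix: decode, refuse any colon (data:, javascript:,
// http: ...), then allow only predefined names.
function selectStylesheet(xslParam) {
  if (typeof xslParam !== "string") return null;
  const decoded = fullyDecode(xslParam);
  if (decoded === null) return null;
  if (decoded.includes(":")) return null;
  return KNOWN_STYLESHEETS.has(decoded) ? decoded : null;
}

// Constructed sample values, including the encodings listed in the release note.
if (typeof module !== "undefined" && require.main === module) {
  for (const v of ["default.xsl", "data:text/xml,x", "data%3Atext", "data%3atext",
                   "javascript%3Aalert(1)", "http%3A//example", "data%253Ax", "other.xsl"]) {
    console.log(JSON.stringify(v), "->", selectStylesheet(v));
  }
}
```

The allow-list makes the colon check redundant in principle; keeping both means a later addition to the list of style sheets cannot silently reopen the scheme-based variant.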


Reported by trizwo GmbH IT & Communication, trizwo.de.

132044 - Fixed command injection vulnerability by modification of service id during app upload

VID-EXA-20220929.1
CVE-2022-41870

Only exploitable with access to the AP Manager and knowledge of the AP Manager password.

The service ID is now validated and may contain only the characters a-z, A-Z, 0-9, _ and -.
This rules out the command injection.
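The character restriction above, as an added example that is not innovaphone's code: the id must match the allowed set before it is used, and the command is assembled as an argument vector rather than a shell string so a stray character could not be interpreted even if validation were bypassed. The install helper path is an assumption for illustration.

```javascript
// Added example, not innovaphone code: service-id validation for an app upload.

// Exactly the set from the release note: a-z, A-Z, 0-9, underscore and hyphen.
const SERVICE_ID_PATTERN = /^[A-Za-z0-9_-]+$/;

function isValidServiceId(id) {
  return typeof id === "string" && SERVICE_ID_PATTERN.test(id);
}

// Builds the argv for a hypothetical install helper (path is an assumption).
// Returning an array for child_process.spawn/execFile, which do not start a
// shell, is the second line of defence: the id reaches the helper as one
// literal argument. "--" precedes it because "-" is an allowed character, so
// an id like "-n" would otherwise be read as an option. uploadPath is assumed
// to be chosen by the server, not by the client.
function buildInstallArgv(serviceId, uploadPath) {
  if (!isValidServiceId(serviceId)) {
    throw new Error("invalid service id: " + JSON.stringify(serviceId));
  }
  return ["/opt/ap/bin/install-app", "--", serviceId, uploadPath];
}

// Constructed sample ids showing what the pattern lets through and what it stops.
if (typeof module !== "undefined" && require.main === module) {
  for (const id of ["pbx_app-1", "app;id", "app$(id)", "app`id`", "app|id", "a b", "app.v2", ""]) {
    console.log(JSON.stringify(id), "->", isValidServiceId(id));
  }
  console.log(buildInstallArgv("pbx_app-1", "/tmp/upload.zip"));
}
```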

Reported by: Dennis Herrmann of Code White GmbH


Note: the CVE score is wrong (as of 7.10.2022), because the CVE was reported with wrong "Privileges Required" and "User Interaction" values. Privileges Required must be "High" instead of "None" and User Interaction "Required" instead of "None".

With correct tags, the score would be much lower!

13r2 Service Release 21 (136409)

139670 - Additional protection against theoretical XSS possibility in pbx_appclient_popup.htm

  • The page no longer works if loaded without a window.opener.
  • The page no longer works if loaded in a standard browser; it works only in the myApps launcher.
  • The URL parameter no longer accepts data URLs.
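The guard logic described here and in 124576 above (filtering the "url" parameter for javascript code, refusing data URLs, requiring a window.opener), written as an added example that is not innovaphone's page code. It relies on the WHATWG URL parser available in browsers and Node.js, and takes the opener as an argument so it can be exercised outside a browser; the page and host names are constructed.

```javascript
// Added example, not innovaphone code: popup guard for a "url" query parameter.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns true only for absolute http(s) URLs. The URL parser lower-cases the
// scheme and strips leading/trailing control characters and embedded tabs or
// newlines, so "JavaScript:", " javascript:" and "java\tscript:" all parse to
// protocol "javascript:" and are rejected; "data:" is rejected the same way.
// Percent-encoded schemes such as "javascript%3A..." have no valid scheme at
// all, so parsing throws and the value is rejected. Relative values ("//host/x")
// also throw because no base URL is supplied.
function isSafePopupUrl(raw) {
  if (typeof raw !== "string") return false;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Reads the "url" parameter from the popup's own location, e.g.
// "https://pbx.example/pbx_appclient_popup.htm?url=..." (constructed), and
// returns it only if it passes isSafePopupUrl; otherwise null.
function popupTargetFromLocation(href) {
  let params;
  try {
    params = new URL(href).searchParams;
  } catch (e) {
    return null;
  }
  const target = params.get("url");
  return isSafePopupUrl(target) ? target : null;
}

// The page needs an opener (it was launched from the app client, not loaded
// directly) and a safe target. Returns the target URL or null.
function resolvePopup(opener, href) {
  if (!opener) return null;
  return popupTargetFromLocation(href);
}

// Constructed inputs for a quick run under Node.js (in a browser one would
// call resolvePopup(window.opener, window.location.href)).
if (typeof window === "undefined" && typeof module !== "undefined" && require.main === module) {
  const base = "https://pbx.example/pbx_appclient_popup.htm?url=";
  for (const v of ["https://app.example/page", "javascript:alert(1)", "JaVaScRiPt:alert(1)",
                   "data:text/html,x", "javascript%3Aalert(1)", "//app.example/page"]) {
    console.log(JSON.stringify(v), "->", resolvePopup({}, base + encodeURIComponent(v)));
  }
  console.log("no opener ->", resolvePopup(null, base + encodeURIComponent("https://app.example/page")));
}
```

Rejecting by scheme allow-list rather than by searching for the substring "javascript" is deliberate: the parser has already normalised case, whitespace and encoding, so there is nothing left for an obfuscated spelling to hide behind.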

13r2 Service Release 22 (136416)

142560 - App Devices: do not allow to provision a device to a different domain if already provisioned

It is no longer possible to provision a device into another domain if the device is already inside a domain in Devices.

If you want to reprovision a device to a different domain, you must first remove it from its current domain.


13r2 Service Release 23 (136420)

144019 - myApps Windows: improved signature validation in update service

13r2: End of life